scripts/acmesh.md

acme.sh TLS Certificates

Install acme.sh

Add separate user acmeuser.

adduser --disabled-login acmeuser

Install acme.sh as separate user acmeuser

mkdir /etc/acmesh
# account.conf in here will later hold the TSIG key and notification tokens, so keep the directory private to acmeuser
chown acmeuser /etc/acmesh
chmod 0700 /etc/acmesh
sudo -s -u acmeuser

# Run these commands as user acmeuser
cd ~
git clone https://github.com/acmesh-official/acme.sh.git
cd acme.sh
# Optionally pin a release instead of running master: git tag -l; git checkout <tag>
./acme.sh --install \
    --home /etc/acmesh \
    --accountemail "hostmaster@domain.tld"
cd ~ && rm -r acme.sh
# --install added an alias to ~/.bashrc and a daily renewal job to acmeuser's crontab (check with crontab -l)
source ~/.bashrc
acme.sh --set-default-ca --server letsencrypt

Allow user acmeuser to reload nginx, etc.

# Debian/Ubuntu already include /etc/sudoers.d: current releases use "@includedir /etc/sudoers.d",
# older ones "#includedir /etc/sudoers.d", where the leading "#" is part of the directive, not a comment.
# The sed only collapses an accidental "##includedir" back to "#includedir"; it is a no-op otherwise.
sed -e '/includedir/ s/^##*/#/g' -i /etc/sudoers
cat >/etc/sudoers.d/acmeuser <<EOL
acmeuser ALL=(root) NOPASSWD: /usr/bin/systemctl reload nginx.service
EOL
chmod 0440 /etc/sudoers.d/acmeuser
# A syntax error in a sudoers.d file can break sudo for everyone, so validate it before relying on it
visudo -cf /etc/sudoers.d/acmeuser

Set up DNS validation with knsupdate (Knot)

Specify the DNS server which hosts your zone and the TSIG key which may update the zone via dynamic updates. The key format is [algorithm:]name:secret, as accepted by knsupdate -y. acme.sh reads KNOT_SERVER and KNOT_KEY from the environment on the first --issue and saves them to /etc/acmesh/account.conf for renewals, so they only need to be exported once. Because the secret ends up in account.conf and in the shell history, keep /etc/acmesh private to acmeuser and avoid typing the key on the command line (prefix the export with a space under HISTCONTROL=ignorespace, or read it from a 0600 file).

# as root
apt install -y knot-dnsutils

# as acmeuser, in the shell that will run --issue
export KNOT_SERVER="dns.domain.tld"
export KNOT_KEY=hmac-sha512:sub.domain.tld:SuperSecretKey==
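
A TSIG key that is allowed to update the whole zone can be used to repoint any record in it if it leaks from account.conf, so the key should be limited on the server side to the one TXT record acme.sh needs. The knot.conf fragment below is an added example for this page, not configuration from the acme.sh or Knot projects; it assumes the zone domain.tld is served by this Knot instance, reuses the page's key name sub.domain.tld and placeholder secret, and uses the acl id acme_update_sub, which is an arbitrary name chosen here. Knot appends the zone name to relative owners in update-owner-name, so _acme-challenge.sub resolves to _acme-challenge.sub.domain.tld.

```yaml
# /etc/knot/knot.conf (fragment). Constructed example for this page, not from
# the acme.sh or Knot projects. Names follow the page: zone domain.tld,
# certificate for sub.domain.tld, TSIG key named sub.domain.tld.

key:
  - id: sub.domain.tld            # must match the name field of KNOT_KEY
    algorithm: hmac-sha512
    secret: SuperSecretKey==      # generate a real one with: keymgr -t sub.domain.tld hmac-sha512

acl:
  # Least privilege for the ACME key: dynamic updates only, only TXT records,
  # and only when the owner is exactly _acme-challenge.sub.domain.tld.
  - id: acme_update_sub
    key: sub.domain.tld
    action: update
    update-type: [TXT]
    update-owner: name
    update-owner-match: equal
    update-owner-name: [_acme-challenge.sub]

zone:
  - domain: domain.tld
    file: domain.tld.zone
    acl: [acme_update_sub]        # add to the zone's existing acl list
```

After editing, run knotc conf-check and knotc reload. To confirm the restriction holds, use knsupdate with the same key to add a TXT record at _acme-challenge.sub.domain.tld (accepted) and then an A record at www.domain.tld (refused); only the first transaction should succeed.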

Issue a certificate

# as acmeuser; -k ec-384 requests a P-384 key, --ecc selects the ECC certificate for this domain
DOMAINLE=sub.domain.tld; acme.sh --issue -d "$DOMAINLE" --dns dns_knot --ecc -k ec-384

Install a certificate

# --cert-file <file>                Path to copy the cert file to after issue/renew.
# --key-file <file>                 Path to copy the key file to after issue/renew.
# --ca-file <file>                  Path to copy the intermediate cert file to after issue/renew.
# --fullchain-file <file>           Path to copy the fullchain cert file to after issue/renew.
# --reloadcmd <command>             Command to execute after issue/renew to reload the server.

# as acmesuer's replacement shell: run as acmeuser, so $CERTPATH must be creatable by acmeuser
# (see "Set correct permissions" below). --ecc is required because the certificate was issued as ECC.
# The reloadcmd is stored in the domain's config and re-run on every renewal; it matches the sudoers entry above.
DOMAINLE=sub.domain.tld
CERTPATH=/etc/ssl/private/$DOMAINLE
mkdir -p "$CERTPATH"
acme.sh --install-cert -d "$DOMAINLE" --ecc \
    --fullchain-file "$CERTPATH/fullchain.pem" \
    --key-file "$CERTPATH/privkey.pem" \
    --ca-file "$CERTPATH/chain.pem" \
    --reloadcmd "sudo /usr/bin/systemctl reload nginx.service"

Set up notifications

Follow instructions for gotify notifications first.

Enable notifications via mail (requires a local MTA set up for sending mail) and gotify. Both hooks read their settings from the environment when --set-notify runs and save them to account.conf: the mail hook uses MAIL_TO and MAIL_FROM (optionally MAIL_BIN), the gotify hook uses GOTIFY_URL and GOTIFY_TOKEN. Level 2 reports errors and successful renewals; mode 0 sends one bulk message per renewal run instead of one per certificate.

acme.sh --set-notify \
    --notify-hook mail \
    --notify-hook gotify \
    --notify-level 2 \
    --notify-mode 0

Set correct permissions

Run this as root before acme.sh --install-cert: acmeuser has to be able to create $CERTPATH below /etc/ssl/private, and the nginx master process (which runs as root) reads the key, so nothing here needs to be world-readable. Note that making acmeuser the owner of /etc/ssl/private lets it replace any file in that directory, including keys it did not issue; if other services keep keys there, limit the chown to $CERTPATH instead.

# Only needed if acmeuser must access files owned by www-data (e.g. a webroot for http-01 validation);
# the dns_knot flow above does not require it
usermod -a -G www-data acmeuser
chown -R acmeuser:ssl-cert /etc/ssl/private
# Keep Debian's snakeoil key owned by root
chown root:ssl-cert /etc/ssl/private/ssl-cert-snakeoil.key
# Directories 0750, files 0640: no access for others and no executable bits on key material
find /etc/ssl/private -type d -print0 | xargs -0 chmod 0750
find /etc/ssl/private -type f -print0 | xargs -0 chmod 0640